In my line of work, I have a lot of responsibility. Not only am I responsible for the internal security program, but I also dedicate time to help ensure our clients understand how to build robust, defense-centric security programs of their own. Many times this involves cutting through the fear, uncertainty, and doubt (FUD) and helping my customers focus on proven defensive strategies instead of a shiny box (and I usually end up saving them money as well). I also make myself available to assist in incident response, which is what influenced me to write this.
I’ve worked dozens of incidents over the past few years, and on Friday I got a very familiar call. “We’ve been hacked… can you come help us figure out what happened?” Of course, my answer is “Absolutely” and I grab my gear and jet. Here’s the thing: the cause of this incident is the exact same cause as the last eight incidents I’ve worked, and I want to see us get better.
Business Email Compromise
It’s a common scenario now: a user gets a believable phishing email, the user enters credentials, and the attacker pilfers through their inbox (at a minimum). Sometimes the attackers coerce third parties to change routing information for bank wires; other times attackers set up automatic forwarding rules to effectively dump the users’ mailboxes to the attacker’s inbox. Sometimes they pose as a legitimate employee or trusted third party to gain access to information (or to con someone out of money). Regardless of the motivation, it’s been the cause of the majority of the incidents I’ve worked.
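The forwarding-rule behavior described above is one of the few parts of this scenario that leaves a cheap, reliable detection signal: an inbox rule that forwards or redirects mail to a domain the organization does not own. The script below is an added example (not code from the original post or from SH Data Technologies) that audits an export of inbox rules and flags external forwarding. The record layout, the field names, and the INTERNAL_DOMAINS set are assumptions; the sample rules are constructed.

```python
"""Flag mailbox inbox rules that forward or redirect mail outside the organization.

Added example, not from the original post. The InboxRule layout is a constructed
approximation of an inbox-rule export; its field names are assumptions, as is the
set of internal domains.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Domains the organization owns. Constructed sample value (assumption).
INTERNAL_DOMAINS: Set[str] = {"example.org", "mail.example.org"}


@dataclass
class InboxRule:
    """One mailbox rule as it might appear in an export (assumed layout)."""
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False  # rule also deletes/moves the original message


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    external_targets: List[str]
    severity: str


def _domain(address: str) -> str:
    """Return the lowercased domain part of an SMTP address, tolerating 'Name <addr>'."""
    addr = address
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1 : addr.index(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str, internal_domains: Set[str] = INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one the organization owns."""
    return _domain(address) not in internal_domains


def audit_rules(rules: List[InboxRule], internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Finding]:
    """Return one Finding per rule that forwards or redirects to an external domain.

    A rule that also deletes the original message is rated higher, because the
    mailbox owner is then less likely to notice the copies leaving.
    """
    findings: List[Finding] = []
    for rule in rules:
        targets = [a for a in rule.forward_to + rule.redirect_to if is_external(a, internal_domains)]
        if not targets:
            continue
        severity = "high" if rule.delete_message else "medium"
        findings.append(Finding(rule.mailbox, rule.name, targets, severity))
    return findings


# Constructed sample export: two benign rules, two that leak mail externally.
SAMPLE_RULES = [
    InboxRule("alice@example.org", "Move newsletters"),
    InboxRule("bob@example.org", "Copy to assistant", forward_to=["Carol <carol@EXAMPLE.org>"]),
    InboxRule("dave@example.org", "Sync", forward_to=["inbox-dump@example.net"], delete_message=True),
    InboxRule("erin@example.org", "Invoices", redirect_to=["finance@example.net"]),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox}: rule '{f.rule_name}' sends mail to {', '.join(f.external_targets)}")
```

Run it against a real export by building InboxRule objects from whatever your mail platform emits; the comparison is case-insensitive on the domain so a mixed-case internal address is not misreported as external. Treat every medium or high finding as something to confirm with the mailbox owner, since the same rule shape is occasionally created legitimately.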
Mitigating the Risk
How many times have you heard “If they had only done the basics and patched their systems!”? Patching won’t help you here. What about multi-factor authentication? Depending on how it’s configured, attackers can bypass MFA/2FA. How about a fancy next-gen firewall? Again, depending on configuration (and I need to write another article about this topic alone), you may not be blocking the domain that the attacker just registered last week and that hasn’t been classified yet. How about removal of local admin? While considered a basic tenet of good security hygiene (least privilege), ransomware doesn’t care about local admin. So what’s the answer?
How Strong is Your Human Firewall?
One thing that drives me nuts is when technical staff blame users for something they deem “stupid.” These are folks who have no experience in IT, no passion for IT, and no career in IT, and yet we expect them to understand? It’s nonsense. The only way we truly get better is to train our most valuable asset, the asset that attackers are targeting: our employees.
As many of us know, the security of our organization relies on people, process, and technology. If we put all our eggs in the last basket, it’s a lost cause. Our people need proper training to know how to identify phishing emails, what the impact is, and how to properly handle these attack attempts. Without that, how can you honestly blame an employee for putting their credentials into a phishing email, or double clicking an attachment, or changing bank wire instructions, when you’ve never trained them?
Hands On Training
25%. That’s the average percentage of employees that will interact with a phishing email. That’s not some “industry average”, that’s what I’ve personally seen in my training campaigns. If you’re not comfortable with 25% of your staff giving their credentials to an attacker, perhaps you should consider training your employees. Consider again that for the last 2 years, all of the incidents I worked involved business email compromise. Consider that no mixture of technical controls will ever compensate for under-trained staff.
If you’d like to know more about how you can protect your investment, contact me. Shoot me an email at firstname.lastname@example.org and let’s get the conversation going. We even provide a free phishing test so you can see for yourself just how vulnerable your organization is.
My goal is to help all of us get better at defense, and I feel the best way to do that is through education for all levels of technical competency, regardless of job role.
About SH Data Technologies
SH Data Technologies provides technology solutions that manage and secure data with unlimited scale. From a Tier III data center in Knoxville, TN, our managed cloud, technology integration, connectivity, security and disaster recovery services provide options to manage and secure your most important data.